pix vpn radius authentication question

Discussion in 'Cisco' started by John Smith, Dec 1, 2004.

  1. John Smith

    John Smith Guest

    According to Cisco:
    "Pix Firewall does not directly support WindowsNT/2000 domain
    authentication. To use Windows NT/2000 domain authentication with the PIX,
    use a RADIUS server such as CSACS, and configure the RADIUS server to
    authenticate against the NT/2000 directory."
    This is for client VPN access, btw.
    Does this mean if I use MS's RADIUS server (IAS) that I can configure the
    PIX to authenticate against it, and then use IAS to authenticate against
    Active Directory? Does anyone have any experience w/ this setup?

    Also, I am currently using IAS to authenticate wireless users as well
    (Aironet 1200's), just FYI...

    -TIA
    John Smith, Dec 1, 2004
    #1

  2. John Smith

    mcaissie Guest

    I use PIX + IAS to authenticate Cisco VPN client using their Windows 2000
    domain account without problems.

    in PIX:
    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host [IAS IP] [secret] timeout 5

    crypto map [cryptoname] client authentication partnerauth

    in IAS:
    -- add client
    ------PIX inside IP
    ------client-vendor = Radius Standard
    ------secret

    -- add Remote access policy
    ------ with conditions NAS IP address matches [PIX inside IP]
    ------ you can add a condition Windows-Group matches (and create a group in
    which you put the users you want to give access)
    ------ in Profile - Authentication, you need to select only Unencrypted
    authentication


    User account must also have "Remote Access Permission" - "Allow access"


    mcaissie, Dec 1, 2004
    #2

  3. John Smith

    John Smith Guest

    damn, one more thing to test/implement heheh...

    THANKS!



    John Smith, Dec 1, 2004
    #3
